Prerequisites

Please ensure the following requirements are met

  • FortiGate with
    • FortiOS v7.2.8 Special Build 8993 (incorporates the Securosys PKCS#11 Provider v2.2.2) or
    • FortiOS v7.2.8 Special Build 9127 and newer (incorporates the Securosys PKCS#11 Provider v2.2.4)
  • CloudHSM partition (HSM as a Service) or Primus HSM, firmware v2.8.21 or newer with PKCS#11 API enabled.

HSM/CloudHSM Setup and Configuration

For general on-premises Primus HSM hardware, HA cluster setup, and operation in FIPS or Common Criteria certified modes, refer to the corresponding Primus HSM User Guide for details.

Securosys CloudHSM allows almost instant HSM operation by selecting and contracting the different services and options for your FortiGate. For available service packages and options, consult our website (Securosys CloudHSM Service) and contact Securosys sales.

The HSM must be initialized, and a specific user (partition) must be set up.

Verify that

  • the PKCS#11 API is licensed and enabled, and the PKCS#11 password is defined
  • a fresh valid user setup password is retrieved for client onboarding
  • the Security Policy is restricted (disable Import/Export/Extract)

Enable PKCS#11 API

The API must be enabled on device and user level.

  • Setup > Configuration > Security > Device Security > Crypto Policy > PKCS#11: enabled
  • Setup > Configuration > Security > User Security > (user name) > PKCS#11: enabled

Set PKCS#11 Password

Assuming that user-level configuration is used:

  • Setup > Configuration > Security > User Security > (user name) > PKCS#11 password

Retrieve a New Setup Password

To generate a new setup password for the specific partition:

  • Roles > User > New Setup Pw

Disable Wrapped Key Export, Key Extract, and Key Import

  • Setup > Configuration > Security > User Security > (user name) > Key export: disabled
  • Setup > Configuration > Security > User Security > (user name) > Key extract: disabled
  • Setup > Configuration > Security > User Security > (user name) > Key import: disabled
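As an added example that is not part of this guide or of the Securosys or Fortinet software: an offline Python check that compares the PKCS#11 attributes of keys in the partition (here constructed sample data, shaped like C_GetAttributeValue output) against what the restricted policy above should produce. The mapping from the three policy switches to PKCS#11 attributes is an assumption made for this example.

```python
"""Offline check of PKCS#11 key attributes against the restricted partition
policy (Key export / Key extract / Key import disabled).

The attribute dictionaries below are constructed sample data; reading them
from a live partition through the Securosys PKCS#11 provider is not shown."""
from typing import Dict, List, Union

Attrs = Dict[str, Union[bool, str]]

# Assumed mapping of the HSM policy switches to standard PKCS#11 attributes:
#   Key export  disabled -> key may not leave the HSM wrapped:  CKA_EXTRACTABLE False,
#                           CKA_NEVER_EXTRACTABLE True
#   Key extract disabled -> key never readable in clear:        CKA_SENSITIVE True,
#                           CKA_ALWAYS_SENSITIVE True
#   Key import  disabled -> key material generated on the HSM:  CKA_LOCAL True
REQUIRED = {
    "CKA_EXTRACTABLE": False,
    "CKA_NEVER_EXTRACTABLE": True,
    "CKA_SENSITIVE": True,
    "CKA_ALWAYS_SENSITIVE": True,
    "CKA_LOCAL": True,
}

def policy_violations(key: Attrs) -> List[str]:
    """Return one finding per attribute that contradicts the restricted policy."""
    findings = []
    for name, expected in REQUIRED.items():
        actual = key.get(name)
        if actual is None:
            findings.append(f"{key['CKA_LABEL']}: {name} not reported")
        elif actual != expected:
            findings.append(f"{key['CKA_LABEL']}: {name}={actual}, expected {expected}")
    return findings

def audit(keys: List[Attrs]) -> Dict[str, List[str]]:
    """Map each key label to its findings; an empty list means compliant."""
    return {k["CKA_LABEL"]: policy_violations(k) for k in keys}

# Constructed samples: one key generated under the restricted policy, one
# imported while Key import/export were still enabled on the partition.
SAMPLE_KEYS = [
    {"CKA_LABEL": "fgt-ssl-key", "CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_EXTRACTABLE": False,
     "CKA_NEVER_EXTRACTABLE": True, "CKA_SENSITIVE": True, "CKA_ALWAYS_SENSITIVE": True,
     "CKA_LOCAL": True},
    {"CKA_LABEL": "legacy-import", "CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_EXTRACTABLE": True,
     "CKA_NEVER_EXTRACTABLE": False, "CKA_SENSITIVE": True, "CKA_ALWAYS_SENSITIVE": False,
     "CKA_LOCAL": False},
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_KEYS).items():
        print(label, "OK" if not findings else findings)
```

Keys that were created before the policy was restricted keep their original attributes, so run the check after restricting the policy and before onboarding the FortiGate.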